Certificaton Objectives Exam 2
Which uppercase letter has a hexadecimal value 41?
A
Which type of tool can be used to compare results and verify a new tool by viewing data in its raw format?
A disk editor
What must be created to complete a forensic disk analysis and examination?
A report
What enables the user to run another OS on an existing physical computer (known as the host computer) by emulating a computer's hardware environment?
A virtual machine
Where do software forensics tools copy data from a suspect's disk drive?
An image file
What term refers to the number of bits in one square inch of a disk platter?
Areal density
How may computer programs be registered under copyright laws?
As literary works
Which activity involves sorting and searching through investigation findings to separate good data and suspicious data?
Filtering
Which tool enables the investigator to acquire the forensic image and process it in the same step?
Magnet AXIOM
Many password recovery tools have a feature for generating potential password lists for which type of attack?
Password dictionary
Which certificate provides a mechanism for recovering files encrypted with EFS if there is a problem with the user's original private key?
Recovery certificate
In older versions of macOS, in which fork are file metadata and application information stored?
Resource
What type of disk is commonly used with Sun Solaris systems?
SPARC
What is another term for steganalysis tools?
Steg tools
What technique has been used to protect copyrighted material by inserting digital watermarks into a file?
Steganography
Which term refers to a data-hiding technique that uses host files to cover the contents of a secret message?
Steganography
Which data-hiding technique replaces bits of the host file with other bits of data?
Substitution
After retrieving and examining evidence data with one tool, you should verify your results by performing the same tasks with other similar forensics tools.
True
All disks have more storage capacity than the manufacturer states.
True
Alternate data streams can obscure valuable evidentiary data, intentionally or by coincidence.
True
Although a disk editor gives you the most flexibility in testing, it might not be capable of examining a compressed file's contents.
True
Bitmap images are collections of dots, or pixels, in a grid format that form a graphic.
True
Computers used several OSs before Windows and MS-DOS dominated the market.
True
Ext3 is a journaling version of Ext2 that has a built-in file recovery mechanism used after a crash.
True
If a file contains information, it always occupies at least one allocation block.
True
If a graphics file is fragmented across areas on a disk, you must recover all the fragments before re-creating the file.
True
In Microsoft file structures, sectors are grouped to form clusters, which are storage allocation units of one or more sectors.
True
It's possible to create a partition, add data to it, and then remove references to the partition so that it can be hidden in Windows.
True
One way to examine a partition's physical level is to use a disk editor, such as WinHex, or Hex Workshop.
True
Software forensic tools are grouped into command-line applications and GUI applications.
True
Some notable UNIX distributions included Silicon Graphics, Inc. (SGI) IRIX, Santa Cruz Operation (SCO) UnixWare, Sun Solaris, IBM AIX, and HP-UX.
True
The Internet is the best source for learning more about file formats and their extensions.
True
The pipe (|) character redirects the output of the command preceding it.
True
The type of file system an OS uses determines how data is stored on the disk.
True
To help determine which computer forensics tool to purchase, a comparison table of functions, subfunctions, and vendor products is useful.
True
Under copyright laws, maps and architectural plans may be registered as pictorial, graphic, and sculptural works.
True
Devices used to prevent data from being written to a disk can connect to a computer through FireWire, SATA, PATA, and SCSI controllers as well as which other type of controller?
USB 2.0 and 3.0
Which filename refers to a core Win32 subsystem DLL file?
User32.sys
What is the largest disk partition Ext4f can support?
16 TB
At what hard link count is a file effectively deleted?
0
On a Linux computer, what contains group memberships for the local system?
/etc/group
In Linux, in which directory are most applications and commands stored?
/usr
Which images store graphics information as grids of pixels?
Bitmap
What specifies the Windows XP path installation and contains options for selecting the Windows version?
Boot.ini
Which NIST project manages research on forensics tools?
CFTT
What term refers to recovering fragments of a file?
Carving
What type of laws should computer investigators be especially aware of when working with image files in order to avoid infringement violations?
Copyright
What term refers to a column of tracks on two or more disk platters?
Cylinder
The file or folder's MFT record provides cluster addresses where the file is stored on the drive's partition. What are these cluster addresses called?
Data runs
What is the name of the optional built-in encryption that Microsoft added to NTFS when Windows 2000 was introduced?
EFS
In which format are most digital photographs stored?
EXIF
If a graphics file cannot be opened in an image viewer, what should the next step be?
Examining the file's header data
What was the early standard Linux file system?
Ext2
Which acronym refers to the file structure database that Microsoft originally designed for floppy disks?
FAT
All TIF files start at position zero (offset 0 is the first byte of a file) with hexadecimal 49 49 3B.
False
As data is added, the MFT can expand to take up 75% of the NTFS disk.
False
Because there are a number of different versions of UNIX and Linux, these OSs are referred to as CLI platforms.
False
From a network forensics standpoint, there are no potential issues related to using virtual machines.
False
Hardware manufacturers have designed most computer components to last about 36 months between failures.
False
In macOS volume fragmentation is kept to a minimum by removing clumps from larger files.
False
In software acquisition, there are three types of data-copying methods.
False
Operating systems do not have tools for recovering image files.
False
Steganography cannot be used with file formats other than image files.
False
The HFS and HFS+ file systems have four descriptors for the end of a file (EOF).
False
The first 5 bytes (characters) for all MFT records are FILE.
False
Typically, a virtual machine consists of just one file.
False
Windows OSs do not have a kernel.
False
macOS is built with the new Apple File System (APFS). The current version offers better security, encryption, and performance speeds, but users can't mount HFS+ drives.
False
How many components define the file system on UNIX/Linux?
Four
What tools are used to create, modify, and save bitmap, vector, and metafile graphics?
Graphics editors
The first MS-DOS tools that analyzed and extracted data from floppy disks and hard disks were used with which type of PC file systems?
IBM
Which standards document demands accuracy for all aspects of the testing process?
ISO 5725
In a file's inode, what are the first 10 pointers called?
Indirect pointers
Which JFIF format has a hexadecimal value of FFD8 FFE0 in the first four bytes?
JPEG
Which term is often used when discussing Linux because technically, Linux is only the core of the OS?
Kernel
In macOS, in addition to allocation blocks, what kind of blocks do volumes have?
Logical blocks
Which type of compression compresses data permanently by discarding bits of information in the file?
Lossy
What is on an NTFS disk immediately after the Partition Boot Sector?
MFT
What are records in the MFT called?
Metadata
Which entity publishes articles, provides tools, and creates procedures for testing and validating computer forensics software?
NIST
Which filename refers to the device driver that allows the OS to communicate with SCSI or ATA drives that aren't related to the BIOS?
NTBootdd.sys
Which filename refers to a 16-bit real-mode program that queries the system for device and configuration data, and then passes its findings to Ntldr?
NTDetect.com
Which acronym refers to the file system that was introduced when Microsoft created Windows NT and that remains the main file system in Windows 10?
NTFS
Which filename refers to the Windows XP system service dispatch stubs to executables functions and internal support functions?
Ntdll.dll
Which filename refers to the physical address support program for accessing more than 4 GB of physical RAM?
Ntkrnlpa.exe
Macintosh moved to the Intel processor and became UNIX based with which operating system?
OS X
From which file format is the image format XIF derived?
TIF
Which digital forensics tool is categorized as a single-purpose hardware component?
Tableau T35es-R2 SATA/IDE eSATA bridge
In macOS, what stores any file information not in the Master Directory Block or Volume Control Block?
The Extents Overflow File
In older versions of macOS, where is all information about the volume stored?
The Master Directory Block (MDB)
What macOS system application tracks each block on a volume to determine which blocks are in use and which ones are available to receive data?
The Volume Bitmap
Where are directories and files stored on a disk drive?
The data block
In macOS, which fork typically contains data the user creates?
The data fork
When Microsoft created Windows 95, into what were initialization (.ini) files consolidated?
The registry
What is the general term for software or hardware that is used to protect evidence disks by preventing data from being written to them?
Write-blockers
Which header starts with hexadecimal 49 49 2A and has an offset of four bytes of 5C 01 00 00 20 65 58 74 65 6E 64 65 64 20 03?
XIF
How do most manufacturers deal with a platter's inner tracks having a smaller circumference than its outer tracks?
ZBR
What Linux command is used to create the raw data format?
dd
In Windows 2000 and later, which command shows you the file owner if you have multiple users on the system or network?
dir
Building your own forensics workstation:
requires the time and skills necessary to support the chosen hardware.